HIPAA and Protecting PHI

HIPAA: Securing Your Patient Information and Guarding Your Reputation

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has largely been treated as a compliance matter, with most organizations seeking to comply with HIPAA just enough to avoid being fined. However, the federal government has offered incentives to Medicare-eligible hospitals and professionals to invest in electronic health record (EHR) technology. It is advantageous for organizations to use this opportunity to simultaneously upgrade their protected health information (PHI) security and privacy processes.

Through this process, healthcare organizations have found that:

  • A major requirement for funding is compliance with HIPAA’s security and privacy provisions as finalized by the Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Changes require organizations to conduct security and privacy risk analyses, implement security updates, and correct security deficiencies
  • HIPAA audits are underway and the consequences of noncompliance can be severe for both organizations and individual staff members

Consequences of Noncompliance Under HIPAA

Violation Category                Penalty for Each Violation   Max. Annual Penalty
Did not know                      $100 - $50,000               $1,500,000
Reasonable cause                  $1,000 - $50,000             $1,500,000
Willful neglect – corrected       $10,000 - $50,000            $1,500,000
Willful neglect – not corrected   $50,000                      $1,500,000

How Crowe Horwath LLP Can Help

To help healthcare organizations assess the effectiveness of their PHI security and privacy, and ultimately their HIPAA compliance, Crowe has developed a pragmatic, achievable approach. Crowe uses a five-step approach to security and privacy risk analysis that can be conducted by knowledgeable, independent staff or by outside resources.

In striving for meaningful use funds, HIPAA compliance, and overall increased security maturity, healthcare organizations face the following top five challenges to healthcare information security:

  1. IT security governance
  2. Application security
  3. The security management process
  4. Information infrastructure security
  5. Third-party risk management (vendor management life cycle)

Crowe HIPAA-related services include:

  • HIPAA evaluation and gap assessment
  • Remediation assistance
  • Control risk and gap assessment
  • HIPAA audit readiness assessment
  • Healthcare information security strategy
  • Independent testing of security controls

The results provide:

  • Understanding of the gaps between regulatory requirements and data security needs
  • Prioritization of risks to the security of an organization’s PHI ecosystem
  • Identification and plans to address PHI security risks
  • Recommendation of practical, achievable action plans to help effectively reduce risk